Privacy Policy
Throw It On The List
throwitonthelist.com
Last Updated: May 2026
This Privacy Policy describes how Throw It On The List (“we,” “our,” or “us”) collects, uses, stores, and shares information when you use our task management application at throwitonthelist.com (the “Service”). Please read this policy carefully. By using the Service, you agree to the practices described below.
1. Information We Collect
1.1 Account Information
To use the Service, you must have a registered user account. When you register or are granted access, we collect and store:
- Username and display name
- Email address
- Password (stored as a cryptographic hash — your plaintext password is never retained)
- User avatar (from your WordPress profile or Gravatar)
- WordPress user role assigned to your account
1.2 Content You Create
When you use the Service, we store the content you create, including:
- Lists — titles, descriptions, visibility settings, colour, icon, and per-list priority configuration
- List items — titles, descriptions (including rich text/HTML content), due dates, priority assignments, and status/state
- Tags — site-wide labels you apply to items
- States — custom workflow stages you define for each list (name, colour, icon, order)
- Comments — text comments you post on list items
- File attachments — images you upload to list items (JPEG and PNG formats)
1.3 Collaboration and Sharing Data
When you share lists with other users, we collect and store:
- List membership records — which users have access to which lists, and their assigned role (Owner, Editor, or Viewer)
- Invitation records — the email address used to invite a collaborator and the acceptance status of that invitation
- Link-share tokens — randomly generated access tokens used in shareable list URLs
- Password hashes — cryptographic hashes of passwords you set on password-protected lists (plaintext passwords are never stored)
1.4 Activity and Usage Data
To power the Activity Feed and audit trail features, we automatically log events that occur within the Service, including:
- Who created, updated, moved, or deleted a list item
- Who changed a list’s settings or states
- Who joined or was removed from a list
- Who posted a comment
- Timestamps of all logged actions
Activity records are associated with your user account and are retained for 30 days, after which they are automatically and permanently deleted. Activity records associated with a deleted list are deleted immediately upon list deletion.
1.5 Notification Data
We store in-app notification records associated with your user account, including the notification type, relevant item or list reference, and read/unread status. We also store your per-notification-type preferences (e.g. whether you have opted in or out of assignment notifications, comment notifications, invitation notifications, and due date reminders).
1.6 Session Data
When you access a password-protected list and enter the correct password, we set a session cookie on your browser to maintain your temporary, view-only access to that list. This cookie does not persist beyond your browser session.
WordPress standard authentication cookies are also set when you log in to your account.
2. How We Use Your Information
We use the information we collect to:
- Provide the Service — create, display, and manage your lists, items, states, and collaborator memberships
- Enable collaboration — share lists and items with the users you designate, and display user identity (name and avatar) within shared lists
- Send email notifications — notify you and your collaborators of relevant events (see Section 4 below)
- Power the Activity Feed — maintain a short-term audit trail of list activity for you and your collaborators
- Deliver in-app notifications — surface real-time or near-real-time alerts within the application
- Enforce security — verify passwords, enforce rate limits on failed login attempts, and protect against unauthorised access
- Maintain and improve the Service — diagnose technical issues and monitor application health
We may use your data for advertising or profiling, but do not freely give or sell it to third parties.
3. How We Share Your Information
3.1 With Your Collaborators
When you share a list with other users, those users will be able to see:
- The content of that list and its items (according to their role)
- The display name and avatar of other members of that list
- Activity feed entries attributing actions to specific users (Owners see all events; Editors and Viewers see item and comment events only)
- Assignee identities on list items
When another user invites you to a list, the list owner can see your username and email address for the purpose of managing membership.
3.2 Link Share and Password-Protected Access
If you enable Link Share on a list, any person who obtains the share URL — including users who are not registered on the Service — may access that list at the permission level you configure. You are responsible for how you distribute share links. Regenerating a share token immediately invalidates all previously shared URLs.
3.3 Service Providers
We may use third-party infrastructure providers (such as web hosting services) who process data on our behalf under confidentiality obligations. We do not sell or rent your personal data to any third party.
3.4 Legal Requirements
We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to protect our rights, your safety, or the safety of others.
4. Email Notifications
We send email notifications to you in connection with the following events, subject to your notification preferences:
| Event | Recipients |
|---|---|
| You are assigned to a list item | You (the assignee) |
| A comment is posted on an item you are assigned to or authored | Item author and all assignees |
| You are invited to collaborate on a list | You (the invitee) |
| A list item assigned to you is due within 24 hours | Item author and all assignees |
You can opt out of any or all of these email notification types at any time via your Notification Preferences in account settings. Opting out of email notifications does not affect in-app notifications.
We occasionally send marketing emails in addition to transactional notifications directly related to your activity on the Service.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Retained while your account is active |
| List and item content | Retained until you delete the list or item |
| File attachments | Retained until deleted by an Owner or Editor |
| Comments | Retained until deleted |
| Activity feed records | Automatically purged after 30 days; deleted immediately on list deletion |
| In-app notifications | Retained while your account is active |
| Notification preferences | Retained while your account is active |
| Session cookies (password-protected lists) | Browser session only |
When a list is deleted, all associated content — items, states, activity records, comments, and attachments — is permanently deleted.
6. Security
We take reasonable technical and organisational measures to protect your data, including:
- Password hashing — account passwords and list passwords are stored using secure one-way cryptographic hashes; plaintext passwords are never stored or transmitted
- Rate limiting — repeated failed password attempts on password-protected lists trigger a temporary lockout to prevent brute-force attacks
- Input sanitisation — all user-supplied content is sanitised before storage to prevent injection attacks
- Capability checks — all REST API endpoints enforce per-user permission checks; users cannot access lists or items beyond their assigned role
- HTTPS — all data transmitted between your browser and the Service is encrypted in transit
No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
7. Cookies
We use the following cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| WordPress authentication cookies | Maintain your logged-in session | Session / as configured |
| TIOTL unlock session cookie | Grant temporary view access to a password-protected list | Browser session |
We do not use advertising cookies, analytics cookies, or any cookies from third-party tracking services.
8. Children’s Privacy
The Service is not directed at children under the age of 13 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information without appropriate consent, please contact us and we will take steps to delete it.
9. Your Rights and Choices
Depending on your location, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you
- Correction — update inaccurate or incomplete personal data (your display name and email can be updated in your account settings)
- Deletion — request deletion of your account and associated personal data
- Restriction / Objection — object to or request restriction of certain processing activities
- Portability — request your data in a portable format
To exercise any of these rights, please contact us using the details in Section 11. We will respond within the timeframe required by applicable law.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the “Last Updated” date at the top of this page. For material changes, we will make reasonable efforts to notify you (for example, by emailing the address associated with your account or by displaying a notice within the Service). Your continued use of the Service after any change constitutes your acceptance of the updated policy.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at: feedback@throwitonthelist.com.
